Flax Typhoon Exploits ArcGIS Servers: Chinese APT Turns SOE Into Persistent Backdoor
- Rescana

Executive Summary
A sophisticated cyber-espionage campaign orchestrated by the Chinese state-sponsored threat actor Flax Typhoon (also known as Ethereal Panda) has been uncovered, targeting organizations globally by transforming legitimate ArcGIS geo-mapping servers into persistent backdoors. By leveraging trusted Java Server Object Extensions (SOEs) and deploying a covert web shell, Flax Typhoon achieved long-term, stealthy access to critical infrastructure and government networks. The attackers further entrenched themselves by installing a renamed SoftEther VPN bridge, enabling encrypted command and control (C2) channels that bypassed traditional security controls. This campaign exemplifies the growing risk of “living-off-the-land” techniques, where adversaries weaponize legitimate software to evade detection and maintain persistence. Organizations using ArcGIS Server—especially versions 11.3, 11.4, and 11.5—are at heightened risk and must act immediately to patch, audit, and monitor their environments.
Threat Actor Profile
Flax Typhoon is a highly capable Chinese advanced persistent threat (APT) group, also tracked as Ethereal Panda and RedJuliett. The group is known for targeting government, critical infrastructure, technology, and utility sectors, with a historical focus on East Asia, particularly Taiwan, but with operations extending to the United States and other regions. Flax Typhoon specializes in stealthy, long-term intrusions, often leveraging valid credentials and trusted software to blend into normal network activity. Their operations are characterized by minimal use of custom malware, a preference for “living-off-the-land” tactics, and a strong emphasis on persistence and lateral movement. The group’s activity aligns with Chinese business hours, and their toolset includes the abuse of SoftEther VPN, exploitation of public-facing applications, and credential harvesting.
Technical Analysis of Malware/TTPs
The attack chain began with the compromise of a public-facing ArcGIS Server instance, most likely through weak or reused administrator credentials. Once inside, Flax Typhoon deployed a malicious Java Server Object Extension (SOE), masquerading as a legitimate plugin. This SOE contained a covert web shell, accessible only with a hardcoded authentication key, and exposed a seemingly benign API endpoint—getLayerCountByType—which the attackers used to execute arbitrary system commands. Because the commands travelled through a normal-looking SOE operation, the malicious traffic blended with legitimate server operations and evaded detection by traditional security tools.
Persistence was achieved through multiple vectors. The malicious SOE was embedded in system backups, ensuring that even if the server was restored, the backdoor would reappear. Additionally, the attackers uploaded a renamed SoftEther VPN executable (bridge.exe) to the C:\Windows\System32\ directory, registered it as a Windows service (SysBridge), and configured it to start automatically on boot. This VPN bridge established outbound HTTPS connections to attacker-controlled infrastructure, effectively extending the victim’s internal network to the adversary and enabling encrypted C2 communications that bypassed network-level monitoring.
For lateral movement and credential access, Flax Typhoon scanned internal networks, targeted IT workstations, enabled the Windows RemoteRegistry service, and dumped the Security Account Manager (SAM) database and Local Security Authority (LSA) secrets. Artifacts such as pass.txt.lnk indicated successful credential harvesting. The attackers also demonstrated advanced evasion techniques, such as renaming legitimate utilities, hiding files and directories, and leveraging trusted software to avoid triggering security alerts.
The campaign did not rely on a public CVE or exploit code; instead, it abused valid credentials and legitimate software features, making detection and remediation significantly more challenging.
Exploitation in the Wild
Flax Typhoon’s campaign has been observed in the wild for over a year, with successful compromises reported in government, critical infrastructure, IT, utilities, and municipal sectors. The attackers specifically targeted organizations with public-facing ArcGIS Server instances, particularly those with weak credential hygiene or insufficient network segmentation. Victims were often unaware of the intrusion due to the attackers’ use of legitimate credentials and software, as well as their ability to reinfect systems via compromised backups.
The campaign’s tactics, techniques, and procedures (TTPs) closely match those previously attributed to Flax Typhoon, including the use of SoftEther VPN for C2, operation during Chinese business hours, and a focus on stealth and persistence. The group’s ability to remain undetected for extended periods underscores the effectiveness of their approach and the limitations of traditional, signature-based security controls.
Victimology and Targeting
The primary targets of this campaign have been organizations operating ArcGIS Server versions 11.3, 11.4, and 11.5, across Windows, Linux, and Kubernetes platforms. Sectors affected include government agencies, critical infrastructure providers, utilities, technology firms, and municipalities. While the initial wave of attacks focused on East Asia, particularly Taiwan, evidence suggests that organizations in the United States and other regions have also been targeted. The attackers demonstrated a clear preference for entities with public-facing geo-mapping servers that are integrated with internal networks, maximizing the potential for lateral movement and data exfiltration.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by this campaign. Organizations should apply the latest ArcGIS Server Feature Services Security Patch for versions 11.3, 11.4, and 11.5, as provided by Esri. For Kubernetes deployments, upgrade to ArcGIS Enterprise 11.5 on Kubernetes, as earlier versions will not receive a patch.
Credential hygiene is paramount. Enforce strong, unique passwords and multi-factor authentication (MFA) for all administrative accounts, and conduct regular audits to identify and remediate weak or default credentials. Treat all backups as potential reinfection vectors; validate backup integrity and scan for embedded malicious components before restoration.
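The advice above to treat backups as reinfection vectors is easier to act on with a concrete pre-restore check. The following is an added example written for this advisory, not Esri tooling or code from the original report. It assumes the backup is a zip archive, that deployed SOEs appear inside it as .soe packages, and that `allowed` is your own inventory of SHA-256 hashes for SOEs you deliberately installed; member paths in the constructed sample archive are illustrative and do not mirror Esri's real backup layout.

```python
"""Pre-restore audit of an ArcGIS Server backup archive for embedded SOEs.

Added example by the editor, not Esri's tooling or code from the advisory.
Assumptions: the backup is a zip archive, deployed SOEs appear inside it as
.soe packages, and `allowed` is your own inventory of SHA-256 hashes for SOEs
you deliberately deployed. Any .soe that is not on that inventory, and any
Windows executable, DLL or shortcut packed into the backup, is reported so the
restore can be stopped before a backdoor is reintroduced. Member paths in the
sample archive are constructed and do not mirror Esri's real layout.
"""
import hashlib
import io
import zipfile

BINARY_SUFFIXES = (".exe", ".dll", ".lnk")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_backup(zip_bytes: bytes, allowed: set) -> list:
    """Return (finding, member_name, sha256) for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            if not lower.endswith((".soe",) + BINARY_SUFFIXES):
                continue                     # hash only what the rules care about
            digest = sha256_bytes(zf.read(info))
            if lower.endswith(".soe") and digest not in allowed:
                findings.append(("unknown-soe", info.filename, digest))
            elif lower.endswith(BINARY_SUFFIXES):
                findings.append(("binary-in-backup", info.filename, digest))
    return findings


def build_sample_backup():
    """Constructed backup: one approved SOE, one rogue SOE, a stray bridge.exe."""
    approved_soe = b"constructed bytes standing in for an SOE you deployed on purpose"
    rogue_soe = b"constructed bytes standing in for an SOE nobody remembers installing"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extensions/LayerTools.soe", approved_soe)
        zf.writestr("extensions/LayerStats.soe", rogue_soe)
        zf.writestr("misc/bridge.exe", b"MZ constructed placeholder")
        zf.writestr("services/Sample.MapServer.json", b"{}")
    return buf.getvalue(), {sha256_bytes(approved_soe)}


if __name__ == "__main__":
    archive, allowed = build_sample_backup()
    for finding, member, digest in audit_backup(archive, allowed):
        print(f"{finding:18} {member:40} {digest[:16]}...")
```

The allowlist is the important part: an SOE hash that is not in a change-controlled inventory should block the restore until someone can explain where it came from, which is exactly the gap the backup-embedded SOE exploited.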
Behavioral detection should supplement traditional IOC-based monitoring. Implement rules to detect anomalous activity from SOEs, the creation of suspicious directories (such as C:\Windows\System32\Bridge), registration of new Windows services (e.g., SysBridge), and outbound connections to known C2 infrastructure, including domains under *.softether.net and the IP address 172.86.117[.]230.
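The detection points listed above, together with the persistence and credential-access artifacts from the technical analysis (bridge.exe in System32, the SysBridge service, RemoteRegistry being enabled, pass.txt.lnk), can be expressed as a small rule set. The block below is an added example written for this advisory, not code from Rescana, ReliaQuest or Esri. It runs constructed host and network records through those rules; the record shapes (the Event kinds and data keys), hostnames and process names are assumptions you would map onto your own SIEM fields.

```python
"""Behavioral hunt for the persistence and C2 artifacts described in this advisory.

Added example by the editor, not code from the advisory, ReliaQuest or Esri.
It evaluates constructed host and network records against rules built from the
indicators in the text: bridge.exe dropped under C:\\Windows\\System32, the
SysBridge service, RemoteRegistry being switched on, pass.txt.lnk, the
C:\\Windows\\System32\\Bridge directory, and outbound traffic to *.softether.net
or 172.86.117.230. The record shapes (Event.kind and the data keys) are
assumptions; map your SIEM's fields onto them before running this for real.
"""
from dataclasses import dataclass, field
import fnmatch
import ipaddress

C2_IP = ipaddress.ip_address("172.86.117.230")      # defanged in the advisory as 172.86.117[.]230
C2_DOMAIN_GLOB = "*.softether.net"
SUSPICIOUS_SERVICE_NAMES = {"sysbridge"}
SUSPICIOUS_BINARIES = {"bridge.exe"}                 # renamed SoftEther VPN bridge
SUSPICIOUS_DIRS = {r"c:\windows\system32\bridge"}
CREDENTIAL_ARTIFACTS = {"pass.txt.lnk"}


@dataclass
class Event:
    kind: str            # "service_install", "service_start", "netconn" or "file"
    host: str            # hostname the record came from
    data: dict = field(default_factory=dict)


def rule_service_install(ev):
    """New service named SysBridge, or any service whose binary is bridge.exe
    sitting directly under System32 (System event 7045 is the usual source)."""
    name = ev.data.get("service_name", "").lower()
    image = ev.data.get("image_path", "").lower()
    hits = []
    if name in SUSPICIOUS_SERVICE_NAMES:
        hits.append(("suspicious-service-name", ev.host, name))
    if image.startswith("c:\\windows\\system32\\") and any(
            image.endswith("\\" + b) for b in SUSPICIOUS_BINARIES):
        hits.append(("renamed-vpn-binary-in-system32", ev.host, image))
    return hits


def rule_service_start(ev):
    """RemoteRegistry coming up precedes remote SAM/LSA secrets access in this
    campaign. It is legitimate in some environments, so triage rather than block."""
    if ev.data.get("service_name", "").lower() == "remoteregistry":
        return [("remoteregistry-enabled", ev.host, "RemoteRegistry started")]
    return []


def rule_netconn(ev):
    """Outbound connection to the SoftEther relay domains or the listed C2 IP."""
    hits = []
    host = ev.data.get("dst_host", "").lower()
    ip = ev.data.get("dst_ip")
    if host and fnmatch.fnmatchcase(host, C2_DOMAIN_GLOB):
        hits.append(("softether-c2-domain", ev.host, host))
    if ip and ipaddress.ip_address(ip) == C2_IP:
        hits.append(("known-c2-ip", ev.host, ip))
    return hits


def rule_file(ev):
    """Credential-dump leftovers and files under the attacker's Bridge directory."""
    path = ev.data.get("path", "").lower()
    name = path.rsplit("\\", 1)[-1]
    hits = []
    if name in CREDENTIAL_ARTIFACTS:
        hits.append(("credential-dump-artifact", ev.host, path))
    if any(path == d or path.startswith(d + "\\") for d in SUSPICIOUS_DIRS):
        hits.append(("suspicious-directory", ev.host, path))
    return hits


RULES = {
    "service_install": rule_service_install,
    "service_start": rule_service_start,
    "netconn": rule_netconn,
    "file": rule_file,
}


def hunt(events):
    """Run each record through the rule for its kind; return (rule, host, detail) tuples."""
    findings = []
    for ev in events:
        findings.extend(RULES.get(ev.kind, lambda e: [])(ev))
    return findings


# Constructed sample records: true positives in each category plus benign noise.
SAMPLE_EVENTS = [
    Event("service_install", "GIS-SRV01", {"service_name": "SysBridge",
          "image_path": r"C:\Windows\System32\bridge.exe", "start_type": "auto"}),
    Event("service_install", "GIS-SRV01", {"service_name": "MyAppSvc",
          "image_path": r"C:\Program Files\MyApp\svc.exe", "start_type": "auto"}),
    Event("service_start", "IT-WS07", {"service_name": "RemoteRegistry"}),
    Event("netconn", "GIS-SRV01", {"process": "bridge.exe", "dst_host": "",
          "dst_ip": "172.86.117.230", "dst_port": 443}),
    Event("netconn", "GIS-SRV01", {"process": "bridge.exe",
          "dst_host": "vpn123.softether.net", "dst_ip": "198.51.100.7", "dst_port": 443}),
    Event("netconn", "GIS-SRV01", {"process": "ArcGISServer.exe",
          "dst_host": "updates.example.com", "dst_ip": "203.0.113.10", "dst_port": 443}),
    Event("file", "IT-WS07", {"path": r"C:\Users\admin\Desktop\pass.txt.lnk"}),
    Event("file", "GIS-SRV01", {"path": r"C:\Windows\System32\Bridge\vpn_bridge.config"}),
]

if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"{host:10} {rule:32} {detail}")
```

Each rule returns findings rather than printing them, so the same functions can feed a SIEM alert, a ticket, or a unit test. The domain match is a glob on `*.softether.net` rather than a substring check, so a lookalike such as `softether.net.example.com` does not trigger it.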
Network segmentation is critical to limit lateral movement. Restrict service account privileges and isolate public-facing applications from sensitive internal resources. Regularly review and harden the configuration of all public-facing applications, treating them as high-risk assets regardless of their perceived trustworthiness.
Finally, conduct proactive threat hunting and continuous monitoring for signs of compromise, focusing on behavioral anomalies and the presence of known indicators of compromise (IOCs) associated with this campaign.
References
ReliaQuest: Inside Flax Typhoon’s ArcGIS Compromise https://reliaquest.com/blog/threat-spotlight-inside-flax-typhoons-arcgis-compromise
Microsoft Security Blog: Flax Typhoon using legitimate software to quietly access Taiwanese organizations https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/
BleepingComputer: Chinese hackers abuse geo-mapping tool for year-long persistence https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-geo-mapping-tool-for-year-long-persistence/
MITRE ATT&CK: Flax Typhoon (Ethereal Panda) https://attack.mitre.org/groups/G1014/
ArcGIS Server Feature Services Security Patch (Esri) https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch
DarkReading: China’s Flax Typhoon Turns Geo-Mapping into Backdoor https://www.darkreading.com/application-security/chinas-flax-typhoon-geo-mapping-server-backdoor
CyberScoop: Flax Typhoon can turn your own software against you https://cyberscoop.com/flax-typhoon-hinese-state-hackers-arcgis-backdoor-webshell/
VulnCheck: Flax Typhoon https://www.vulncheck.com/blog/flax-typhoon-linear-merge
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and continuous monitoring capabilities empower security teams to identify emerging threats, prioritize remediation, and strengthen their overall security posture. For more information about how Rescana can help your organization manage cyber risk, or for any questions regarding this advisory, please contact us at ops@rescana.com.